Baden-Württemberg: Public Procurement Chamber finds possibility of data access by third country contrary to GDPR

The Public Procurement Chamber of Baden-Württemberg issued, on 13 July 2022, a decision regarding the question of whether it is unlawful that US providers of digital servers and/or cloud services can provide their services via European subsidiaries, in light of the Court of Justice of the European Union's ('CJEU') decision in the Schrems II Case, despite the use of Standard Contractual Clauses ('SCCs').

Facts of the Decision

The question had arisen in the context of a tender process for the procurement of software for digital services, whereby an unsuccessful bidder had challenged the award of the contract to the successful bidder, due to its failure to comply with data protection laws. As such, the unsuccessful bidder requested a review of the bid and the successful party's exclusion from the evaluation procedure.

The chamber reviewed the bid and noted that the data protection violations of which the successful bidder had been accused concern Article 44 et seq. of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), since the bidder processed personal data on servers that third countries (particularly the US) may have access to. The unsuccessful bidder had argued that the possibility of such access constituted data processing, i.e. a data transfer within the meaning of Article 44 of the GDPR.

Findings of the Chamber

In this regard, the chamber found that a transfer of personal data to a third country is unlawful under data protection law if the relevant server is operated by a company based in the EU, which is also part of a US group. As such, the chamber held that the 'mere possibility' that personal data can be accessed by the US parent company leads to a transfer within the meaning of the GDPR, regardless of whether the US parent company actually accesses the personal data.

Notably, OneTrust DataGuidance confirmed this development with Philipp Quiel, Counsel at Piltz Legal, who commented that, ''on one hand, it may be possible that the legal provisions dealing with the procurement procedure may include the need to make a prognostic decision. However, this is not a question relating to data protection law. On the other hand, the chamber specifically decided that using the relevant service is a violation against data protection law because using the service entails an unlawful data transfer in accordance with Article 44 et seq. of the GDPR. In this context, it is odd that no data was sent to a third country and that there was no access from a third country to data stored in the EU. The tribunal decided that Article 44 et seq. GDPR were already violated by the mere possibility that data could theoretically be transferred to a third country''.

Moreover, Quiel outlined that ''the European Data Protection Board ('EDPB') seems to also think that a data transfer already occurs where an access to data is provided regardless if the access possibility was indeed used to access data''. 

Quiel also noted that, ''to our understanding, a data transfer in terms of Article 44 et seq. of the GDPR always requires some form of processing of personal data in the sense of Article 4(2) of the GDPR. In case there is a mere possibility that data could be transferred to a third country (for example, because there is a possibility to access data from a third country), this is not sufficient to qualify as a form of processing of personal data. Therefore, a mere possibility of a data processing taking place due to an access possibility from a third country cannot mean that there is a data transfer occurring. If each access possibility would already mean that there are data transfers taking place (without there even being a form of processing of personal data) this would result in strange outcomes''. 

Quiel concluded, however, that ''in the case the chamber decided on, it was contractually agreed that for certain purposes data transfers were foreseen. Therefore, it is still true that no data was actually transferred but one must also acknowledge that it was agreed that data may be transferred to third countries for certain purposes''.

UPDATE (15 August 2022)

LfDI Baden-Württemberg releases statement on Public Procurement Chamber's decision

The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 15 August 2022, a statement addressing the decision of the Public Procurement Chamber issued on 13 July 2022. In particular, the LfDI Baden-Württemberg noted that the decision bears a significance that goes beyond the initial case, which resulted from an official procurement procedure. However, the LfDI Baden-Württemberg highlighted that the decision should be viewed critically for the following reasons:

  • the procedure had clauses on the subject of the examination which, from the point of view of the Public Procurement Chamber, still fell short of the requirements of the SCCs that can currently be used. Further to this, the LfDI Baden-Württemberg pointed out that the Public Procurement Chamber does not seem to have consistently succeeded in accessing the relevant contract clauses;
  • clauses prohibiting data transfers that do not leave it to the data exporter to assess which requests from third government agencies go too far and do not provide for a challenge to all government requests without exception appear to be problematic; and
  • the equating of access risk and transmission (as a form of processing according to Article 4(2) of the GDPR) made by the Public Procurement Chamber is legally questionable. 

In light of the above, the LfDI Baden-Württemberg took the view that the provisions of its orientation guide on data transfers remain valid even after the decision of the Public Procurement Chamber, and outlined that individual case-related alternative tests, and not blanket transfer bans, are still the means of choice to implement the specifications of the GDPR in the best possible way.

You can read the statement, only available in German, here.

UPDATE (8 September 2022) 

Baden-Württemberg: Public Procurement Chamber's decision rendering use of EU subsidiary of US group unlawful overturned

The Karlsruhe Higher Regional Court ('the Court') issued, on 7 September 2022, its decision in Case No. 15 Verg 8/22, in which it overturned a lower court's decision, namely, the Public Procurement Chamber's decision of 13 July 2022, to reject an unsuccessful bidder's request for review of the tender award, following an appeal on the same. 

Background to the case

In particular, the Court stated that, at the request of an unsuccessful bidder in a procurement procedure for a review of the tender award, the lower court had decided that the successful bidder should be excluded from the procurement process due to its violation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which rendered the bid incompatible with the requirements of the tender documents. In this regard, the Court further noted that such a decision was made since the lower court considered that the successful bidder's use of a Luxembourg subsidiary of a US group as a service provider in its bid gave rise to the possibility that personal data can be accessed by the US parent company, leading to a 'transfer' within the meaning of the GDPR, regardless of whether the US parent company actually accesses the personal data. 

Findings of the Court

Notably, the Court upheld the appeal lodged against the lower court's decision and found that since the successful bidder had made clear assurances about the content of the contract between it and the Luxembourg service provider, which iterated that data may only be transmitted to the Luxembourg subsidiary, processed solely by it without exception, and processed only in Germany, it could be assumed that the bidder will fulfil the contractual commitments specified. As such, the Court explained that it should not be assumed that due to the group affiliation tying the subsidiary to the US, the subsidiary would receive or follow illegal instructions from the US parent company. Consequently, the Court noted that the bid had not deviated from the data protection and IT security requirements specified in the tender and that therefore there was no reason to exclude the successful bidder's offer from the award procedure. 

Outcomes

Ultimately, the Court overturned the lower court's decision and rejected the application to exclude the successful bidder's offer from the award procedure. In this regard, the Court noted that its decision is final. 

You can read the press release, only available in German, here.